User access restrictions control access to functionality on various levels:
They determine which functions users may access. This covers the access ofUI pages and menus.
In addition, the restrictions indicate which protected data may be accessedfrom the functions. For example, a user can access a normal address, but cannotsee a secured address.
Furthermore, the restrictions indicate if the user may read, create, updateand / or delete data.
Protected data refers to data that requires fine grained security. Bydefault, data is implicitly protected by controlling access to the functionsthat create, read, update and delete it. Data that requires more protection thanthis is referred to as protected data. With protected data, the values ofspecific fields are also taken into consideration. For example, contracts can beprotected based on the data access group. This protection is in addition to theprotection from controlling access to the contract screens.
Function and data access need to be coordinated. In order to access protecteddata, users must have access for both the protected data and the functions thatmaintain the data.
For convenience reasons, access restrictions are defined per 'functional'role and then users are given access to the roles. This simplifiesadministration of user access by allowing set up to be done per role instead ofper user. When several users perform the same role, the role can be set up onceand all the users can be assigned to it. Users may be assigned to more than onerole. In this case access is cumulative (users have access to the functions andprotected data that is included in any of their roles).
This document describes the data model that is the basis for implementinguser access restriction functionality.
User Role
A user role gives a user the privileges of a role. For example, a user withthe 'Contracts Manager' role can access the functions and data for which the'Contracts Manager' role has permissions.
| User Role | |
|---|---|
Field | Description |
User | The user. |
Access role | The role granted to the user. |
Note: In case of conflicting grants, for example the user has view only grant through one role and is allowed to edit through another role, then the most non restive grant applies, that is, the user is allowed to edit.
Access Restriction Grant
An access restriction grant connects a role to an access restriction. Userswith the role, get the right to access the function or data that is protected bythe access restrictions.
Furthermore, it indicates the level of access in terms of having read,create, update and / or delete rights by setting the Create, Retrieve, Updateand Delete (CRUD) indicators. These indicators have a different meaning,depending on the specific type of access restriction. For details refer chapterdata access restrictions.
| Access Restriction Grant | |
|---|---|
Field | Description |
Access Role | The access role the grant is for. |
Access Restriction | The access restriction to which access is granted. |
Create indicator | Depends on the type of access restriction. |
Retrieve indicator | Depends on the type of access restriction. |
Update indicator | Depends on the type of access restriction. |
Delete indicator | Depends on the type of access restriction. |
